pptp routing win2003

I have a Win2003 server that is set up to do PPTP (VPN tunnels). The server has two interfaces. The first interface is set to 192.168.1.200/24 255.255.255.0 and the second interface is set to 192.168.2.2 255.255.255.128. I connect to the VPN server via its external router address, and the router then forwards all ports to 192.168.1.200. The VPN user then gets an address of:

  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
  Physical Address. . . . . . . . . : 00-00-00-00-00-00 taken out for post
  Dhcp Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 192.168.2.8
  Subnet Mask . . . . . . . . . . . : 255.255.255.255
  Default Gateway . . . . . . . . . : 192.168.2.8
  DNS Servers . . . . . . . . . . . : ***.***.*.*taken out for post
                                      ***.***.**.* taken out for post
  Primary WINS Server . . . . . . . : 192.168.0.10
  Secondary WINS Server . . . . . . : 192.168.1.200

From the VPN user, I am able to ping the entire network and run any application just fine. The problem is that from the inside LAN I am unable to make a direct connection to or ping the VPN user, except from the server itself. I am trying to get the LAN to connect to the VPN user. The first route hop that the VPN user takes is 192.168.2.3, which is the internal interface on the server. But if you try to ping the remote user from the internal LAN, then the first hop to the VPN user would be 192.168.2.2.
The main question is: how do I add a static route, and what would it be, to allow 192.168.0.0/24 or 192.168.1.0/24 to route to the 192.168.2.2 or 192.168.2.3 interface? I am thinking that I would have to do this on the server and get it to say that any traffic destined for 192.168.2.0 is sent to 192.168.2.3 or 192.168.2.2, and vice versa. I hope this makes sense. I can post any additional route statements, etc. if needed. Thank you all in advance for your help.
Asked: splonsky
1 Solution
 
DustbakCommented:
Hi

There are several ways of adding a static route. It can be done from a command prompt with: route add destination mask subnetmask gateway metric metric -p (the -p makes the route persistent across reboots).

In your situation it probably is easier to go to Control Panel / Administrative Tools / Routing and Remote Access.

Open Routing and Remote Access, expand the server, and under IP Routing you will find the option to add a static route.

Good luck
Dustbak
TJworldCommented:
We've seen this before but off the top of my head I can't remember the precise solution.

Can you post the "ipconfig /all" and "route print" results done on the server, and also on a LAN workstation that is having the problem.

I seem to recall it was all to do with the default gateway/route inside the LAN, and whether the users were connecting as RAS clients or Site-to-Site VPNs. Which are you having the problem with?

Once we fixed it all the VPN sites (we had about 10 at the time) could also ping each other.
splonskyAuthor Commented:
IPCONFIG /ALL Of Internal LAN Client
IP Address. . . . . . . . . . . . : 192.168.0.47
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.7
DHCP Server . . . . . . . . . . . : 192.168.0.12
DNS Servers . . . . . . . . . . . : xxx.xxx.xxx.x
Primary WINS Server . . . . . . . : 192.168.0.10
Secondary WINS Server . . . . . . : 192.168.1.200  
ROUTE PRINT OF CLIENT
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.7    192.168.0.47       1
    63.xxx.xxx.x       255.255.255.255      192.168.0.1    192.168.0.47       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0     192.168.0.47    192.168.0.47       1
     192.168.0.47   255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.0.255  255.255.255.255     192.168.0.47    192.168.0.47       1
    207.**.**.**.**  255.255.255.255      192.168.0.1    192.168.0.47       1
        224.0.0.0        240.0.0.0     192.168.0.47    192.168.0.47       1
  255.255.255.255  255.255.255.255     192.168.0.47    192.168.0.47       1
Default Gateway:       192.168.0.7
===========================================================================
Persistent Routes:
  None

Server Ipconfig /all
   Host Name . . . . . . . . . . . . : TIMBERLINE
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-**-**-**-**-**
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.2.3
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Server Adapter
   Physical Address. . . . . . . . . : 00-xx-xxx-xxx-xxx
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.200
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.9
   DNS Servers . . . . . . . . . . . : xxx.xxxx.xxxx.xx
                                              xxx.xxx.xxx.xx
   Primary WINS Server . . . . . . . : 192.168.0.10
   Secondary WINS Server . . . . . . : 192.168.1.200

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-0xxx-xxxx-xxxx-xxx
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.2.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.128
   Default Gateway . . . . . . . . . : 192.168.2.122
   DNS Servers . . . . . . . . . . . : 6xxx-xxx-xxx-xxx
                                              xx-xxx-xxx-xx
   NetBIOS over Tcpip. . . . . . . . : Disabled


Route Print from Server
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.9    192.168.1.200     20
          0.0.0.0          0.0.0.0    192.168.2.122      192.168.2.2     20
   24.xxx-xxxx-xxx  255.255.255.255      192.168.1.9    192.168.1.200     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0    192.168.1.200    192.168.1.200     20
    192.168.1.200  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.1.255  255.255.255.255    192.168.1.200    192.168.1.200     20
      192.168.2.0  255.255.255.128      192.168.2.2      192.168.2.2     20
      192.168.2.2  255.255.255.255        127.0.0.1        127.0.0.1     20
      192.168.2.3  255.255.255.255        127.0.0.1        127.0.0.1     50
      192.168.2.4  255.255.255.255      192.168.2.3      192.168.2.3      1
      192.168.2.9  255.255.255.255      192.168.2.3      192.168.2.3      1
    192.168.2.255  255.255.255.255      192.168.2.2      192.168.2.2     20
        224.0.0.0        240.0.0.0    192.168.1.200    192.168.1.200     20
        224.0.0.0        240.0.0.0      192.168.2.2      192.168.2.2     20
  255.255.255.255  255.255.255.255    192.168.1.200    192.168.1.200      1
  255.255.255.255  255.255.255.255      192.168.2.2      192.168.2.2      1
Default Gateway:       192.168.1.9
===========================================================================
Persistent Routes:
  None



IPCONFIG OF VPN USER
  Connection-specific DNS Suffix  . :
  Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
  Physical Address. . . . . . . . . : 00-xx-0x-x-x-x-x-x
  Dhcp Enabled. . . . . . . . . . . : No
  IP Address. . . . . . . . . . . . : 192.168.2.4
  Subnet Mask . . . . . . . . . . . : 255.255.255.255
  Default Gateway . . . . . . . . . : 192.168.2.4
  DNS Servers . . . . . . . . . . . : 6x.x.x.x.x.
                                             xxx.xxx.xx..xx.
  Primary WINS Server . . . . . . . : 192.168.0.10
  Secondary WINS Server . . . . . . : 192.168.1.200

Route Print of VPN User
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.4     192.168.2.4       1
          0.0.0.0          0.0.0.0      192.168.6.1   192.168.6.100       31
      6xx-xxx-xxx-xx   255.255.255.255      192.168.6.1   192.168.6.100       30
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.2.4  255.255.255.255        127.0.0.1       127.0.0.1       50
    192.168.2.255  255.255.255.255      192.168.2.4     192.168.2.4       50
      192.168.6.0    255.255.255.0    192.168.6.100   192.168.6.100       30
    192.168.6.100  255.255.255.255        127.0.0.1       127.0.0.1       30
    192.168.6.255  255.255.255.255    192.168.6.100   192.168.6.100       30
        224.0.0.0        240.0.0.0    192.168.6.100   192.168.6.100       30
        224.0.0.0        240.0.0.0      192.168.2.4     192.168.2.4       1
  255.255.255.255  255.255.255.255      192.168.2.4     192.168.2.4       1
  255.255.255.255  255.255.255.255    192.168.6.100   192.168.6.100       1
Default Gateway:       192.168.2.4
===========================================================================
Persistent Routes:
  None  
THE 192.168.6.0 NETWORK on the VPN User is the home LAN and the 192.168.2.0 Network is the VPN Tunnel.
TJworldCommented:
The first thing that strikes me is your subnetting and default routes aren't matching up.

To reach the VPN client at 192.168.2.4 from LAN client at 192.168.0.47/24 means the LAN client needs a route to the 192.168.2.0/25 subnet.

It has no specific route for that.

It currently has a default gateway of 192.168.0.7 which is not the VPN server, or even on the VPN server's subnet(s).

There's no information about the default gateway 192.168.0.7 in your question, but it is instrumental in this scenario.

The 192.168.2.x and 192.168.1.x subnets are only reachable from the LAN client via 192.168.0.7 so we need to see its ipconfig and routes too! I assume it is a Windows server and not a router/switch appliance.
splonskyAuthor Commented:
I have Cisco 3550s that are doing VLAN routing:
vlan1 192.168.0.7  Switch 1
vlan2 192.168.1.7  Switch 1
vlan 100 192.168.2.122 Switch 1

vlan1 192.168.0.8 Switch 2
vlan2 192.168.1.8 Switch 2
vlan100 192.168.2.123 switch 2

vlan1 192.168.0.9 switch3
vlan2 192.168.1.9 switch3
vlan100 192.168.2.124 switch 3

I point each user's or server's default route at the VLAN interface for its subnet;
the default route from there is 192.168.0.1, which is the router interface from my provider.
splonskyAuthor Commented:
Trace from vpn user to user on LAN
Tracing route to 192.168.0.47 over a maximum of 30 hops

  1   331 ms   345 ms   384 ms  192.168.2.3
  2   350 ms   336 ms   393 ms  192.168.1.9
  3   345 ms   397 ms   360 ms  192.168.0.47

Trace complete.



PING AND TRACE FROM LAN USER TO VPN USER
 
ping 192.168.2.2

Pinging 192.168.2.2 with 32 bytes of data:

Reply from 192.168.2.2: bytes=32 time<1ms TTL=127
Reply from 192.168.2.2: bytes=32 time<1ms TTL=127

Ping statistics for 192.168.2.2:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

ping 192.168.2.3

Pinging 192.168.2.3 with 32 bytes of data:

Request timed out.

Ping statistics for 192.168.2.3:
    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss)
splonskyAuthor Commented:
from the switches
Protocol [ip]:
Target IP address: 192.168.2.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: vlan100
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

#ping 192.168.2.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

route statement of the switches
Gateway of last resort is 192.168.0.1 to network 0.0.0.0

C    192.168.0.0/24 is directly connected, Vlan1
C    192.168.1.0/24 is directly connected, Vlan2
     192.168.2.0/25 is subnetted, 1 subnets
C       192.168.2.0 is directly connected, Vlan100
S*   0.0.0.0/0 [1/0] via 192.168.0.1
splonskyAuthor Commented:
From the server I am able to ping the vpn user and ping any local user on the LAN.
But from any LAN user I can not ping a vpn user of 192.168.2.x But the VPN user can ping any where he wants to go.
I guess what I am asking is what route would I add via command line Example
route add -p 192.168.2.0 mask 255.255.255.128 192.168.2.2 metric 1
or would it be route add -p 192.168.2.0 mask 255.255.255.128 192.168.2.3 metric 1
or, since the 192.168.0.0/24 and 192.168.1.0/24 networks can only get to the 192.168.2.2 interface, would it be a statement of route add -p 192.168.0.0 mask 255.255.255.0 192.168.2.2 metric 1
This is where I am getting confused.
This a route print of the server:
Route Print from Server
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.9    192.168.1.200     20
          0.0.0.0          0.0.0.0    192.168.2.122      192.168.2.2     20
   24.xxx-xxxx-xxx  255.255.255.255      192.168.1.9    192.168.1.200     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.1.0    255.255.255.0    192.168.1.200    192.168.1.200     20
    192.168.1.200  255.255.255.255        127.0.0.1        127.0.0.1     20
    192.168.1.255  255.255.255.255    192.168.1.200    192.168.1.200     20
      192.168.2.0  255.255.255.128      192.168.2.2      192.168.2.2     20
      192.168.2.2  255.255.255.255        127.0.0.1        127.0.0.1     20
      192.168.2.3  255.255.255.255        127.0.0.1        127.0.0.1     50
      192.168.2.4  255.255.255.255      192.168.2.3      192.168.2.3      1
      192.168.2.9  255.255.255.255      192.168.2.3      192.168.2.3      1
    192.168.2.255  255.255.255.255      192.168.2.2      192.168.2.2     20
        224.0.0.0        240.0.0.0    192.168.1.200    192.168.1.200     20
        224.0.0.0        240.0.0.0      192.168.2.2      192.168.2.2     20
  255.255.255.255  255.255.255.255    192.168.1.200    192.168.1.200      1
  255.255.255.255  255.255.255.255      192.168.2.2      192.168.2.2      1
Default Gateway:       192.168.1.9
splonskyAuthor Commented:
I posted earlier, but this is the response from an internal LAN user trying to ping a VPN user:
Tracing route to 192.168.2.4 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.0.7
  2     *
So it seems like 192.168.0.7 (Cisco 3550 switch) doesn't know how to get to 192.168.2.2 or 192.168.2.3 or the VPN user.
TRACE AND PING FROM SWITCH
A trace and pings from the switch to the VPN user and the server interfaces are as follows:
Type escape sequence to abort.
Tracing the route to 192.168.2.4 VPN USER

  1  *  *  *
  2  *  *  *
  3  *  *  *

#ping 192.168.2.2 INTERFACE ON SERVER ( VPN)

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
pyramid49-96#ping 192.168.2.3 INTERFACE ON SERVER ( INTERNAL)

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.3, timeout is 2 seconds:
....

TJworldCommented:
Okay, thats helped a lot, thanks.

We need to concentrate on RRAS on the Windows 2003 server, which is what I assume is acting as your VPN server?

My brain's a bit fried right now thinking through all the routing issues but at the back of my mind is how we fixed the same problem a long time ago.

I'll search through the docs here and see if I can find the notes.
splonskyAuthor Commented:
Thanks !!!
TJworldCommented:
Aha! I've remembered what our issue was.

If the connection was RAS VPN then our LAN couldn't route through the VPN server to the client because RRAS doesn't add a route for that to its routing table.

If the connection was Site-to-Site LAN then we would associate a static route with that VPN interface and we would have full two-way connectivity.

I seem to remember the solution was to add a route into the VPN server's table manually, but it wasn't ideal if the VPN client IP addresses were being allocated by DHCP. We had to set each user to a static IP to make this work.
splonskyAuthor Commented:
I can force a vpn user to a dhcp ( static address) without any issues. Right now I have a vpn user that always will get 192.168.2.4 but I am still unclear about what exactly the static route should look like on the server
TJworldCommented:
I've just simulated the same scenario here by putting one of our PCs on the internet side of our router with its own Internet IP address and can get 2-way pings so I'll describe the topology and show you the routing tables in the hope you can see something missing in yours!

I've marked some routing table results with ** to indicate where I would focus my attention.

*** LAN PC IP 10.254.251.52 tweetypie.lan.domain.tld

Tracing route to popeye.lan.domain.tld [10.254.251.70]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  coyote.lan.domain.tld [10.254.251.15]
  2     2 ms     2 ms     1 ms  popeye.lan.domain.tld [10.254.251.70]

Active Routes:
Network Destination        Netmask          Gateway       Interface
          0.0.0.0          0.0.0.0    10.254.251.15   10.254.251.52
     10.254.251.0    255.255.255.0    10.254.251.52   10.254.251.52
    10.254.251.52  255.255.255.255        127.0.0.1       127.0.0.1
   10.255.255.255  255.255.255.255    10.254.251.52   10.254.251.52
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1
        224.0.0.0        240.0.0.0    10.254.251.52   10.254.251.52
  255.255.255.255  255.255.255.255    10.254.251.52   10.254.251.52
Default Gateway:     10.254.251.15
====================================================================
Persistent Routes:
  None

** Server coyote.lan.domain.tld **VPN Server **
 LAN IP 10.254.251.15
 RAS server IP 10.254.251.71
 Internet IP x.y.z.242

Active Routes:
Network Destination        Netmask          Gateway       Interface
          0.0.0.0          0.0.0.0     x.y.z.241    x.y.z.242
        10.1.10.0    255.255.255.0          0.0.0.0        ffffffff
        10.1.12.0    255.255.255.0          0.0.0.0        ffffffff
        10.1.13.0    255.255.255.0          0.0.0.0        ffffffff
        10.1.21.0    255.255.255.0          0.0.0.0        ffffffff
     10.254.251.0    255.255.255.0    10.254.251.15   10.254.251.15
    10.254.251.15  255.255.255.255        127.0.0.1       127.0.0.1
**    10.254.251.70  255.255.255.255    10.254.251.71   10.254.251.71
 **   10.254.251.71  255.255.255.255        127.0.0.1       127.0.0.1
   10.255.255.255  255.255.255.255    10.254.251.15   10.254.251.15
     x.y.z.240  255.255.255.248     x.y.z.242    x.y.z.242
     x.y.z.242  255.255.255.255        127.0.0.1       127.0.0.1
**    x.y.z.246  255.255.255.255     x.y.z.242    x.y.z.242
   x.255.255.255  255.255.255.255     x.y.z.242    x.y.z.242
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1
        224.0.0.0        224.0.0.0    10.254.251.15   10.254.251.15
        224.0.0.0        224.0.0.0     x.y.z.242    x.y.z.242
  255.255.255.255  255.255.255.255     x.y.z.242    x.y.z.242
Default Gateway:      x.y.z.241
====================================================================
Persistent Routes:
  None

** Internet

** RemotePC popeye.lan.domain.tld
 Internet x.y.z.246
 VPN client IP 10.254.251.70

Tracing route to tweetypie.lan.domain.tld [10.254.251.52]
over a maximum of 30 hops:

  1     3 ms     1 ms     1 ms  10.254.251.71
  2     2 ms     3 ms     1 ms  tweetypie.lan.domain.tld [10.254.251.52]

Active Routes:
Network Destination        Netmask          Gateway       Interface
          0.0.0.0          0.0.0.0     x.y.z.241     x.y.z.246
**         10.0.0.0        255.0.0.0    10.254.251.70    10.254.251.70
     10.254.250.0    255.255.255.0     10.254.250.1    10.254.250.1
    10.254.250.1  255.255.255.255        127.0.0.1        127.0.0.1
    10.254.251.70  255.255.255.255        127.0.0.1        127.0.0.1
   10.255.255.255  255.255.255.255    10.254.251.70    10.254.251.70
     x.y.z.240  255.255.255.248     x.y.z.246     x.y.z.246
**     x.y.z.242  255.255.255.255     x.y.z.246     x.y.z.246
     x.y.z.246  255.255.255.255        127.0.0.1        127.0.0.1
   x.255.255.255  255.255.255.255    x.y.z.246     x.y.z.246
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1
        224.0.0.0        240.0.0.0    10.254.251.70    10.254.251.70
        224.0.0.0        240.0.0.0     x.y.z.246     x.y.z.246
  255.255.255.255  255.255.255.255    10.254.250.1    10.254.250.1
  255.255.255.255  255.255.255.255     x.y.z.246     x.y.z.246
Default Gateway:      84.12.34.241
====================================================================
Persistent Routes:
  None

I think the main thing of note is that both the VPN server and the VPN client add a route to the other's Internet IP address.
splonskyAuthor Commented:
So basically, if the VPN user's (WAN) IP address is 24.x.x.x.128 and its VPN address is 192.168.2.4,
the server would then add a route statement of
route add 192.168.2.4 mask 255.255.255.255 24.x.x.x.128 ? Is that what is missing? Or am I still just missing it?
TJworldCommented:
Something just struck me.. your VPN server isn't physically connected to the Internet so I assume that VPN packets are being forwarded from 192.168.0.1 to 192.168.2.2 ? I'm thinking of how this might affect how the routing table will look.

Which physical interface on the VPN Server is RAS bound to? I assume its the Broadcom NetXtreme Gigabit Ethernet 192.168.2.2.

On the VPN Server the PPP adapter RAS Server (Dial In) Interface is on 192.168.2.3 so in your message timed 03:22PM I can't understand why you were unable to ping that address, but could not ping 192.168.2.2.

But you have the ping success from the switch to 192.168.2.2, so its getting a bit confused here!

Has the VPN Server's IP address changed during this testing?

Am I right in thinking that both the NICs in the VPN Server are wired to separate ports on the switch? Cisco 3550 vlan 100 switch 1 seems to be configured on IP 192.168.2.122 and you have a  2nd default route

0.0.0.0          0.0.0.0    192.168.2.122      192.168.2.2     20

To isolate whether the problem is in the switch can you attach a hub temporarily to the 192.168.1.200 interface of the VPN server and plug a workstation into the hub with an IP in the subnet 192.168.1.0/24 with its default route set to 192.168.1.200 and see if it can ping the VPN client.

Then move the hub to the 192.168.2.2 interface of the VPN server and reconfigure the LAN client to an IP in the subnet 192.168.2.0/25 with a default route of 192.168.2.2 and try the ping again.

If these are successful you know the problem is with the switch configuration.
TJworldCommented:
>route add 192.168.2.4 mask 255.255.255.255 24.x.x.x.128 ? Is that what is missing?

No, because the VPN server doesn't have an interface on 24.x.x.128 (the Internet). In your case the Interface that routes VPN traffic is intended to be 192.168.2.2.

Don't you just LOVE routing in complex scenarios?!
splonskyAuthor Commented:
ok, well it looks like I got some more in depth trouble shooting to work on. I will get a hub and do what you suggest and keep you posted. Thank you so much for all your time and help with this issue.
splonskyAuthor Commented:
1) Which physical interface on the VPN Server is RAS bound to? I assume its the Broadcom NetXtreme Gigabit Ethernet 192.168.2.2 ( YES)
2) Has the VPN Server's IP address changed during this testing? (NO)
3) Am I right in thinking that both the NICs in the VPN Server are wired to separate ports on the switch? Cisco 3550 vlan 100 switch 1 seems to be configured on IP 192.168.2.122 and you have a  2nd default route ( YES)
TJworldCommented:
Just as a quick experiment, on one of your LAN workstations change its default gateway to 192.168.2.2 and then try pinging a connected VPN client.

I seem to remember that was the problem we used to have when we had a separate firewall/Internet router that wasn't on our VPN Server. We used to have to manually add routes in all the workstations along the lines of:

route add -p 10.254.1.0 mask 255.255.255.0 10.254.251.20

where 10.254.251.20 was our VPN Server's LAN IP, and 10.254.1.0/24 was the client VPN. The default gateway was 10.254.251.1 at that time.

For you it would likely be

route add -p 192.168.2.0 mask 255.255.255.128 192.168.2.2

but its possible the switch might try to mess about with the packets seeing as it will receive them as the 'default gateway'. Here's hoping.

I hope you're remembering to do

route delete x y z

because we once ended up in a hell of mess when one of our juniors just kept adding routes to try and get it to work!
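Added worked example (written by the editor, not part of the original thread): the script below parses the route print tables posted above and does the longest-prefix-match lookup by hand, which makes the two routing points raised earlier concrete. The LAN workstation has no route for 192.168.2.0/25 and hands a packet for 192.168.2.4 to its default gateway 192.168.0.7; the 3550 holds 192.168.2.0/25 as a directly connected network on Vlan100, so by its own table it tries to deliver to 192.168.2.4 on that VLAN itself rather than forward to 192.168.2.2; only the server carries the /32 host route for 192.168.2.4 out of its PPP interface 192.168.2.3. The script also checks the suggested route add -p 192.168.2.0 mask 255.255.255.128 192.168.2.2 on a LAN PC: 192.168.2.2 is not on any of that PC's connected networks, and Windows refuses a route whose gateway is not on-link. The LAN client and server tables are the thread's own, trimmed to the relevant rows; the switch table is an assumption, a constructed Windows-style rendering of the Cisco show ip route output using the switch 1 VLAN interface addresses.

```python
"""Parse Windows `route print` rows, resolve a destination by longest-prefix
match, and check whether a proposed `route add` gateway is on-link.
Tables for the LAN client and server are the thread's; the switch table is
constructed (an assumption) from the posted Cisco `show ip route` output."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4 = ipaddress.IPv4Address
LOOPBACK = IPv4("127.0.0.1")


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: IPv4
    interface: IPv4
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Keep rows shaped 'destination netmask gateway interface metric'; headers,
    separators and redacted rows such as '63.xxx.xxx.x' are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            dest, mask, gw, iface = (IPv4(p) for p in parts[:4])
            metric = int(parts[4])
        except ValueError:
            continue
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gw, iface, metric))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins, then lowest metric, then the first row listed
    (which is all that separates two equal-metric default routes)."""
    d = IPv4(dst)
    hits = [r for r in routes if d in r.network]
    return max(hits, key=lambda r: (r.network.prefixlen, -r.metric)) if hits else None


def next_hop(routes: List[Route], dst: str) -> str:
    """Describe where a packet for dst leaves this host."""
    r = lookup(routes, dst)
    if r is None:
        return "unreachable"
    if r.gateway == LOOPBACK:
        return "local"                        # one of this host's own addresses
    if r.gateway == r.interface:
        return f"on-link via {r.interface}"   # delivered directly on that interface, no router
    return f"via {r.gateway}"


def gateway_is_on_link(routes: List[Route], gateway: str) -> bool:
    """Windows refuses a `route add` whose gateway is not on a directly connected
    network; mirror that check against the on-link (gateway == interface) rows."""
    g = IPv4(gateway)
    return any(r.gateway == r.interface and r.network.prefixlen < 32 and g in r.network
               for r in routes)


# LAN workstation 192.168.0.47, as posted (one redacted row kept to show it is skipped).
LAN_CLIENT = parse_route_print("""
          0.0.0.0          0.0.0.0      192.168.0.7    192.168.0.47       1
    63.xxx.xxx.x       255.255.255.255      192.168.0.1    192.168.0.47       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0     192.168.0.47    192.168.0.47       1
     192.168.0.47   255.255.255.255        127.0.0.1       127.0.0.1       1
    192.168.0.255  255.255.255.255     192.168.0.47    192.168.0.47       1
        224.0.0.0        240.0.0.0     192.168.0.47    192.168.0.47       1
  255.255.255.255  255.255.255.255     192.168.0.47    192.168.0.47       1
""")

# VPN server TIMBERLINE, as posted (192.168.2.3 is the RAS dial-in PPP interface).
SERVER = parse_route_print("""
          0.0.0.0          0.0.0.0      192.168.1.9    192.168.1.200     20
          0.0.0.0          0.0.0.0    192.168.2.122      192.168.2.2     20
      192.168.1.0    255.255.255.0    192.168.1.200    192.168.1.200     20
    192.168.1.200  255.255.255.255        127.0.0.1        127.0.0.1     20
      192.168.2.0  255.255.255.128      192.168.2.2      192.168.2.2     20
      192.168.2.2  255.255.255.255        127.0.0.1        127.0.0.1     20
      192.168.2.3  255.255.255.255        127.0.0.1        127.0.0.1     50
      192.168.2.4  255.255.255.255      192.168.2.3      192.168.2.3      1
      192.168.2.9  255.255.255.255      192.168.2.3      192.168.2.3      1
""")

# Cisco 3550 "switch 1" (VLAN interfaces .0.7, .1.7, .2.122): constructed, not posted.
SWITCH = parse_route_print("""
          0.0.0.0          0.0.0.0      192.168.0.1      192.168.0.7      1
      192.168.0.0    255.255.255.0      192.168.0.7      192.168.0.7      1
      192.168.1.0    255.255.255.0      192.168.1.7      192.168.1.7      1
      192.168.2.0  255.255.255.128    192.168.2.122    192.168.2.122      1
""")

if __name__ == "__main__":
    for name, table in (("LAN client", LAN_CLIENT), ("switch", SWITCH), ("server", SERVER)):
        print(f"{name:10s} -> 192.168.2.4: {next_hop(table, '192.168.2.4')}")
    print("server     -> 192.168.0.47:", next_hop(SERVER, "192.168.0.47"))
    # The suggested 'route add -p 192.168.2.0 mask 255.255.255.128 192.168.2.2' on a LAN PC:
    print("192.168.2.2 on-link for LAN client:", gateway_is_on_link(LAN_CLIENT, "192.168.2.2"))
```

Run it with python3; the server line for 192.168.0.47 picks 192.168.1.9, matching hop 2 of the VPN user's tracert above, but only because that default route is listed first. Two default routes with the same metric on the server is worth resolving on its own, since which one the kernel picks is not something you want to depend on.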
splonskyAuthor Commented:
No luck with the hub and laptop test. If I set the laptop to 192.168.2.99 255.255.255.128 with gateway 192.168.2.2, I can ping 192.168.2.2, but only the 192.168.2.2 interface, and still not a VPN user at 192.168.2.10.

Same results if I configure the laptop to 192.168.1.99 255.255.255.0 with gateway 192.168.1.200: I can ping 192.168.1.200 but not 192.168.2.2 or 192.168.2.3.
I could not ping 192.168.2.3 in any of the tests.
What I notice, though, is that the VPN user's first hop is 192.168.2.3, so that makes sense as to why I wouldn't be able to ping the VPN users.
TJworldCommented:
Well, at least we know it is the routing table/binding order.

RRAS keeps a separate routing table from the one you see with "route print", which you can get at by right-clicking the Static Routes node.

Also check the binding order in Network Properties, on the Advanced menu, Advanced Settings

Check the connection order of the adapters. In your case it's going to be more difficult to deduce, but it's worth shuffling them and seeing if you solve the problem!

It's now 3.25am and -1 Celsius here in Nottingham, UK, so I'm finally off to bed!

I hope you make some progress while I'm resting :)
splonskyAuthor Commented:
Well, I did happen to make some progress at finishing all of this Guinness beer that was sitting here. It's 9:34 am and 15 Celsius in Saint Louis, MO.
I am going to have to hand-type all the routes on each interface, because when you do a show route on each interface, including the internal one, it won't let me just copy and paste.
TJworldCommented:
Guinness! Just the thought of it turns me green ;-p If I wanted to drink mud I'd go out into one of our fields here! I'll stick to Smirnoff Black neat :-D
 
Don't worry about trying to copy the routes out of RRAS to show here, I know what it's like. You just need to apply your mind to comparing the results of route print with what the RRAS routes show.

Basically you're looking for the lack of a route to 192.168.2.4,5,6,7,8 etc from the VPN server on 192.168.2.3.

Your task is complicated by the fact the sometimes Windows uses localhost 127.0.0.1 to refer to itself as you'll have noticed. I often find a vector drawing on paper helps me understand it a lot easier.

I have to say too that I'm pretty sure we finally solved one of our problems with RRAS by simply disabling it and then reconfiguring it! I know it sounds scary, but it was worth it. If you're using VPN for RAS clients then you've not got anything in the way of remote site entries to recreate, or static routes bound to interfaces, etc.

The other thing you could do is build a test server with identical settings, enable RRAS on it and compare routing tables between the two.

splonskyAuthor Commented:
I got it all working. I will have to post everything and how I got it to work. But now I can ping both ways from internal to the vpn users. Thanks for everything even if it was just to listen to me rant and rave, Personally I think it was the Guinness beer.